I'm probably missing something glaringly obvious..... but I can't see it.
The ACLs say I can list the contents of a directory in my pool, but I can't. I just can't see what it could be. Until I can fix this, I can't let other users access the file server so it's quite 'in the way'. Help very appreciated if anyone can suggest what's up and a fix!
Here's the getfacl output on the problem dir and its parent + grandparent:
# getfacl /mnt/data_dir/working_dir/
# owner: root
# group: wheel
group:data_managers:-w-pDd--------:-------:deny
everyone@:r-------------:-------:allow
group:data_managers:rwxpDda-R-c---:fd-----:allow
owner@:--------------:fd-----:allow
group@:--------------:fd-----:allow
everyone@:--x-----------:-d-----:allow
# file: /mnt/data_dir
# owner: root
# group: wheel
owner@:rwxpDdaARWcCos:fd-----:allow
group@:rwxpDdaARWcCos:fd-----:allow
everyone@:r-x---a-R-c---:fd-----:allow
# file: /mnt
# owner: root
# group: wheel
user::rwx
group::r-x
other::r-x
I try to access working_dir as the newly created account having the ACL issue. This account is not the owner of any relevant dirs, nor a member of wheel or data_managers, so its only rights stem from the "everyone (world)" permissions/ACLs.
$ su -f restricted_user
% id
uid=1100(restricted_user) gid=65533(nogroup) groups=65533(nogroup),4003(restricted_users)
% pwd
/mnt/data_dir/working_dir
% ls
ls: .: Permission denied
The world permission on that dir is everyone@:r..... (inheritance downward to subdirs for x but not r). r should give worldwide rights to read the contents of working_dir. The account is not a member of data_managers and even if it was, no ACE (higher or lower) is denying r or x. The restricted account has read and traverse permissions on it and its parent and neither read nor traverse are denied in other ACEs. I can traverse to it. But I can't read its contents.
I looked at more global settings:
# zfs get all data_dir | grep acl
data_dir aclmode restricted local
data_dir aclinherit passthrough local
# zfs get all data_dir/working_dir | grep acl
data_dir/working_dir aclmode restricted local
data_dir/working_dir aclinherit passthrough inherited from data_dir
# mount | grep data_dir
data_dir on /mnt/data_dir (zfs, local, noatime, nfsv4acls)
data_dir/working_dir on /mnt/data_dir/working_dir (zfs, local, noatime, nfsv4acls)
Completely ordinary, nothing out of place.
What have I missed?
Note - this is crossposted: I unsuccessfully asked on a general Unix-related site a while back, but it's still a complete puzzle and 'blocker' so I'm hoping for help here!
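Added example, not from the post: a small Python model of the first-match NFSv4 ACE walk the poster is reasoning with, run over the working_dir ACL quoted above for a restricted_user principal. It models only the per-bit ACE evaluation (principal matching, inherit-only ACEs skipped), not mode bits or any other kernel check, so "allow" here means the ACE list permits the access, not that the kernel will; the principal dictionary, the PERM_BITS column order and the data_managers test user are my own constructions.

```python
# Evaluate a FreeBSD/ZFS NFSv4 ACL (as getfacl prints it) with the first-match rule:
# walk ACEs in order; each requested bit is settled by the first matching ACE that
# names it (allow grants, deny refuses); a bit no ACE settles stays undecided (refused).
PERM_BITS = "rwxpDdaARWcCos"   # column order of getfacl's 14-character perm field

def parse_ace(line):
    """Split one getfacl line into (tag, qualifier, perm set, flags, allow|deny)."""
    parts = line.strip().split(":")
    if parts[0] in ("owner@", "group@", "everyone@"):   # these have no qualifier column
        parts.insert(1, None)
    tag, qual, perms, flags, kind = parts
    return tag, qual, {b for b, c in zip(PERM_BITS, perms) if c != "-"}, flags, kind

def ace_matches(ace, who):
    tag, qual = ace[0], ace[1]
    return (tag == "everyone@"
            or (tag == "owner@" and who["is_owner"])
            or (tag == "group@" and who["in_owning_group"])
            or (tag == "user" and qual == who["name"])
            or (tag == "group" and qual in who["groups"]))

def evaluate(acl_text, who, wanted):
    """Return {bit: 'allow' | 'deny' | 'undecided'} for each bit in wanted."""
    decision = {b: "undecided" for b in wanted}
    for line in acl_text.splitlines():
        if not line.strip() or line.startswith("#"):    # skip getfacl header lines
            continue
        ace = parse_ace(line)
        if "i" in ace[3] or not ace_matches(ace, who):  # inherit-only, or not this principal
            continue
        for b in ace[2]:
            if decision.get(b) == "undecided":          # first match wins, per bit
                decision[b] = ace[4]
    return decision

# The working_dir ACL exactly as the post shows it.
WORKING_DIR_ACL = """\
group:data_managers:-w-pDd--------:-------:deny
everyone@:r-------------:-------:allow
group:data_managers:rwxpDda-R-c---:fd-----:allow
owner@:--------------:fd-----:allow
group@:--------------:fd-----:allow
everyone@:--x-----------:-d-----:allow
"""

# Constructed model of restricted_user as described: not the owner of working_dir,
# not in its owning group (wheel), not in data_managers.
RESTRICTED = {"name": "restricted_user", "groups": {"nogroup", "restricted_users"},
              "is_owner": False, "in_owning_group": False}
```

Calling evaluate(WORKING_DIR_ACL, RESTRICTED, "rx") yields allow for both r and x, which is the poster's reading of the ACL; a data_managers member asking for w or D hits the leading deny ACE first.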